Cybersecurity and Software Bill of Materials (SBOM) for Real-Time Operating Systems (RTOS) have traditionally been accessible only through highly specialized experts, requiring extensive manual effort. However, new automation techniques are now making the analysis of Real-Time Operating Systems easier than ever before.

Real-Time Operating Systems (RTOS) are increasingly being used in safety-critical applications such as medical technology, the automotive industry, and aerospace. This raises the growing question of security: How well are RTOS protected against cyberattacks?

One answer comes from the Düsseldorf-based cybersecurity company ONEKEY, whose Product Cybersecurity & Compliance Platform (OCP) now automatically generates Software Bill of Materials (SBOM) for Real-Time Operating Systems in just minutes, while also checking for vulnerabilities and malicious code. CEO Jan Wendenburg explained: “We are currently experiencing a significant rise in demand for security assessments of real-time operating systems from a wide range of industries.”

Edge Computing Drives the Adoption of RTOS

The need for security testing is becoming even more urgent as Real-Time Operating Systems (RTOS) continue to evolve rapidly, for instance, to enable parallel processing in complex systems. At the same time, the integration of AI and machine learning workloads into RTOS is advancing, particularly for applications like autonomous vehicles or smart sensors.

A key driver of this trend is the rise of Edge Computing – the processing of data captured by sensors directly on a device before it is transmitted to the cloud. This requires the devices themselves, as typical RTOS applications, to be equipped with sufficient “intelligence”.

One example is modern IP cameras, where faces captured by the camera are already pixelated within the device, ensuring that the transmitted images do not contain personal data and thus inherently comply with GDPR regulations. “With the rise of Edge Computing, more and more ‘intelligence’ is being pushed to the edge of IT systems, into sensors and actuators,” said Jan Wendenburg. Looking to the future, he added: “This development will continue as consumer electronics become smarter, extending through industrial manufacturing and into Smart Buildings.”

The convergence of Linux and Open Source

Another trend is the growing presence of Chinese RTOS developments, particularly in the automotive sector. “The use of a Chinese open-source RTOS naturally raises security concerns, and reliable answers are urgently needed before widespread adoption occurs,” stated Jan Wendenburg, highlighting the increasing demand for RTOS testing on ONEKEY’s Product Cybersecurity & Compliance Platform. He added, “Current geopolitical developments are amplifying the call for higher security in connected devices.”

Furthermore, the traditional boundaries between Real-Time Operating Systems and general-purpose systems like Linux are increasingly disappearing. For some time now, hybrid solutions have been on the market that can cover both resource-limited devices and more complex systems. “With the convergence, cyber threats also increase because vulnerabilities can creep in from both sides,” explained Jan Wendenburg, outlining the connections.

Rising Legal Requirements

All of these developments are driving a sharp increase in demand for RTOS security assessments, primarily fueled by two factors: the genuine drive for maximum protection against cybercrime, and the growing regulatory requirements to demonstrate this protection through appropriate, well-documented measures.

“With the ONEKEY platform, we offer a solution to a problem that is becoming increasingly urgent due to stricter legislation regarding cybersecurity, even for embedded systems, and the sharply increasing waves of cyberattacks,” said Jan Wendenburg. “From Firmware to Compliance in One Place” is how the Düsseldorf-based security company describes its approach.

RTOS Operate in Countless Connected Devices

Real-Time Operating Systems are found across a wide range of industries and devices. These include professional applications such as engine control units, anti-lock braking systems, airbags, or infotainment in the automotive sector, patient monitoring devices or infusion pumps in healthcare, flight control systems, navigation or satellite control in aerospace, as well as the entire industrial automation sector. A variety of consumer electronics and household appliances also fall into this category, ranging from set-top boxes to interactive children’s toys. Estimates suggest that the number of devices running on an RTOS is likely in the tens of billions.

“All of these devices represent potential entry points for threat actors,” explained Jan Wendenburg. The solution developed by ONEKEY as a remedy includes a multi-stage security analysis. This begins with identifying the RTOS firmware components and continues with determining the versions and locating known and potentially unknown security vulnerabilities. Next, the vulnerabilities are assessed to identify and address critical risks in the RTOS. An optional, automated compliance check enables quick identification of vulnerabilities relevant to cybersecurity standards such as IEC 62443-4-2, the EU Cyber Resilience Act, and many other regulations. This significantly simplifies audit preparation.

ONEKEY Product Cybersecurity & Compliance Platform

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
